CC.3: Threat modeling

What threat models do you know exist in your community? Which ones resonate with you the most?

We have a lot of identity theft and financial scamming in our community. They particularly prey on our older patrons. But the one that resonates the most with me is misinformation. It’s using a person’s search history or view history to lure them down a rabbit hole of nonsense that they eventually come to believe is true.

The assets in this situation are your ability to make a decision for yourself, as well as tangible things like your money or your vote.
The adversaries are the troll farms that spit this stuff out, as well as various political or community leaders. As well as the ads or financial aspects that are only interested in clicks.
Capabilities… I would suppose that would be the algorithms and cookies and what-not that help drag you further down the hole.
Outcomes: As a result, you can damage your mental and physical health. You can lose friends and family over these types of videos and articles. You lose your ability to think critically and assess information. You also lose your ability to be your own person. This can also lead, in some cases, to financial ruin or committing heinous crimes.

Not sure if that fits perfectly, but it’s something I’ve been thinking about for a long time.


I think I focus most on (lately) the students and the faculty who teach “high profile” courses or have been known to disagree with school board decisions.

Semi-related…I was doing some research on the transition to online teaching and ran across this site. Thought I’d share in case they are legit. I really like the “scenarios” section of the site. Seems similar to threat modeling examples.


I see a lot of scam emails sent to older patrons. They don’t know the difference between safe and unsafe senders. There are emails about losing rental benefits or tax scams and it’s scary that I can’t educate all of them! I stopped one woman from answering an email about a fraudulent bank deposit; she was going to give them her bank login information! Computer literacy and education about scams is something that is lacking.


I first learned about threat modeling in organizing spaces in Boston. Without going into much detail (for obvious reasons as we discuss privacy and risk), it was something some of the more radical direct actions required, especially with the ever present threat of fascists.

I remember when first learning it I was so humbled and grateful for the tool, because before having access to it, danger felt so overwhelming and inevitable that it was almost paralyzing to me. Before that point I had a hard time even getting started with proper infosec for myself as an individual because it felt like there was no way to protect against everything. I didn’t know where or how to start, or how to know when I would be “finished.”

Being introduced to threat models for specific actions and for specific information suddenly made the entire practice of information security click into place as an applicable and attainable practice.


This is such an interesting framing of reactionary radicalization. I’d never considered the idea of threat models applied to protecting oneself or others from malicious misinformation and dogwhistle rabbit-holes. In some ways, I suppose protecting information such as your search history, country, or contacts from the adversaries of the algorithms of YouTube and Google could aid, to some extent, in preventing this process. On the other hand, though, when I’ve used Tor or something, the “default” recommended content on many of these platforms is extremely reactionary, so it’s hard to say what to do in terms of what info to protect that would meaningfully prevent this stuff.


This is so true. And sometimes scammers are so emotionally manipulative. Someone once targeted my grandmother by claiming to be a cousin who needed bail money!! It’s hard in those cases because the threat modeling of their generation (“stranger danger” etc.) is manipulated so easily with the internet. I think whether using that term or not, most people do have some basic threat models they use to navigate the world, but many people need to update them.

We have so many darned threats in our community–as a PR guy I see a TON on the community-based Facebook groups. I know this is an obvious one, but there are so many, and I have to pick one–here are two targets that .

Targets: So many.
Computer Literacy Struggles: We have a lot of folks who can barely operate a mouse, but spend half their lives on Facebook. They have no idea what www security would look like, much less www insecurity. It is frustrating to watch them fall, time after time, for stupid scammy tricks from our own fellow San Angeloans, like “The first 500 people to guess the right number win a prize,” or “$500 for the first people to try my free product.” Assets: ID, location, financial info, rep.

Language-barrier and Cross-cultural Issues: We are two hours from our very fluid Tex-Mex border, and people take advantage of that to scam folks out of everything. Memes are so easily made and shared and can make something appear to be affiliated with something it’s not. From fake Shark Tank products, to faith-based calls for action, to phony missing-persons ads (VERY common here), people’s info is at high risk for being taken and abused.

I think we could all go on forever about the dangers of social media and online presence, but in an impoverished college town with a huge retired population, there is a lot of opportunity, and it is being well-exploited.

This is a great one, and it has privacy connections even if they’re a little more indirect than say, identity theft. Because a lot of the misinfo we are shown is because of what the algorithm thinks it knows about us, and what it’s told advertisers about us (and because there are no advertising standards, sometimes the ads themselves are the misinfo). So it gets into all these issues about the ecosystems themselves and how exploitative they are.

Right, the system is so choked with garbage that the default settings are sometimes the worst. Like if you go to YouTube without logging in, and watch pretty much any video, and leave it on autoplay, you’ll get shown Jordan Peterson videos after 2-3 videos. So misinformation is an example of a threat model where it’s not as easy as just changing some of your settings around. It’s a systemic problem, so we have to think about how to use our roles as library workers to influence collective change, using whatever is in our toolbox – programs, public education, collection development, and so on.

An increasingly high risk group, and a great example of a threat model which has significantly changed in the last few years, gaining in seriousness exponentially.

Also thanks for sharing the Student Privacy Pledge – it’s really excellent. Though sadly it hasn’t been widely adopted, which speaks to the priorities of schools more than anything.

I often joke that scamming is the only growth industry anymore. And even as much as scams have proliferated, it’s not getting any easier for regular people to identify them. Phishing works.

It’s classic social engineering, all of it. It seems way too simple to work, but it does.

And this is so true, and I think is part of how we combat things like scams and social engineering. Not just teaching people about what to look out for, but teaching them to trust their gut. Not that this is the main reason why scams succeed, but I think a lot about how there are a lot of messages that tell low digital literacy folks that they don’t know anything, that they should get over their fears and trust the computer. And actually lots of their fears are valid.

Yesssssss!!! It’s working!!!

Scams are definitely going to be a threat model that resonates in all communities, all types of libraries. Thinking about how they show up on Facebook, I’m just thinking about what the library could do to creatively push back against this on its own Facebook. Maybe you could do like, a scam roundup every Friday or something, with screenshots of scams you’ve seen in community groups that week (identifying info removed)? And then some non-shamey advice about how to identify and avoid them, how they present privacy risks, etc. Something that acknowledges that anyone can fall for a scam!


Ah! The Facebook round up is a great idea!


Stolen. I’m gonna get right on that for next week!


As Alison mentioned at the beginning of the session, I found the Threat Modelling to be such a negative commentary on the status of our society and what we came to be. We came to use it as a societal device to teach individuals how to defend and prepare for unwanted threats or harassment and the risks to our privacy and safety. We don’t even know how to address and prevent them at a societal level as a nation or community. Instead, we ask individuals to get equipped with those skills and normalize the situations at individual levels. Unfortunately or fortunately, it seems the logical locus to address and mitigate the risks and threats at the individual level.

In the meantime, most of the calls that I receive on my landline phone are some version of scam calls. At my university, we are regularly notified of common phishing messages, and we also inform the IT department about any suspicious phishing attempts. I became numb about these incidents because they happen all the time.

The prevailing politically divided environments reflected in the January 6th insurrection at the American Capitol, the rise of white supremacy in North America, and the other threats posed by extreme groups elsewhere resonate with me the most. The extreme groups weaponize social media to target, attack and harass “reasonable” folks into miseries and victims to control their position. Recently, a webinar I attended explained how they use Twitter, and I learned some tools you can use to unlist and remove them from one’s Twitterverse. Some of those technical means to prevent unwanted attacks would be helpful. Most importantly, we need to recognize them and raise awareness of their tactics. The misinformation and political propaganda that persisted for many years in our society found new invigorated power in the digital environment.

Friday Fakes? Friday Fraud? I also realize that every Friday might be a little ambitious. Monthly Misinfo?

If this goes well and people are into it, you could use it as an opportunity to gauge interest in some programmatic offerings about avoiding scams and identity theft. While we aren’t getting into programs in this crash course (that’s the one in October), I could definitely help send along some teaching resources for that. Not to get too ahead of ourselves here 🙂 I just like thinking about how one thing can lead to the next.

Yes, I think weekly is a bit too much for us right now, but a monthly highlight would be helpful for our patrons.

I love the idea of some kind of scammy round-up! There’s so much shame tied up in online scamming, especially for folks who are impacted by them. It feels important to acknowledge and affirm that scams are created to capitalize off our emotions (it’s high pressure! large reward! limited time! catastrophic consequences!) and that anyone can fall for a scam.

I’m trying to think about a way to do this without completely overwhelming folks. I can imagine seeing a list of current scams might make the internet feel MORE daunting for some. I bet there’s a way to strike a good balance here.


I appreciate this reflection and feel similarly - threat modeling feels like a powerful tool in segmenting something so large and overwhelming into something that I can comprehend and manage. Particularly since the “finishing point” is entirely individualized and subjective and also always moving as technologies and risks continue to change.


Me too Asako. I think a lot about how after Trump lost, many of these people pivoted to focusing on school board fights and book banning. Frankly, I envy their organizational ability! Trying to imagine the other side organizing in such a way is…difficult. Like, what happened to “The Resistance”? No more Trump, and we never heard from those people again. Meanwhile, the reactionaries are getting increasingly more powerful. The privacy implications are many – not just in how they use social media to harass and doxx their opposition, but I also think of how they are trying to use law and policy (part of the surveillant assemblage) to target and punish trans children, parents of trans children, teachers, librarians…